
Allow administrators to irrevocably destroy all data for a cancelled instance
Closed, ResolvedPublic

Description

After canceling an instance, administrators should be able to irrevocably destroy it. This should delete all data, all backups, all repositories and all file storage. We should document exactly what is deleted and what is retained (e.g., we'll probably retain snapshots of backups for 48 hours or something because it is technically impractical to destroy them, and we should reserve the instance name itself so another one can't be registered in its place).

One concern here is accidental / malicious deletion. Some possible measures:

  • Allow administrators to disable this feature (i.e., "this is too much power, remove this button and require an email to support in order to destroy instance data").
  • Pass this feature through human review in the first place (i.e., someone on staff checks the request and makes sure the instance isn't still active, the account doesn't look compromised, etc).
  • Require all administrators on an account to sign off (kind of fluff, since the attacker can remove them, but it could be something like "all users who were administrators in the last 24 hours need to approve").
  • Allow the deletion to be cancelled for 24 hours before it actually happens.

I don't think this feature is hugely important, but I suspect we can have a more straightforward approach here than Facebook's "disable + regret 95% of the time, so destruction has to be super hard" workflow.
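A small stand-alone model of the safeguards listed above (sign-off from everyone who was an administrator in the last 24 hours, a 24-hour cancellation window, and a record of what is deleted versus retained), added here as an example; it is not Phabricator or Phacility code, and the `admin_log` tuple shape and all function names are assumptions.

```python
from dataclasses import dataclass, field

GRACE_SECONDS = 24 * 3600           # cancellation window from the description
ADMIN_LOOKBACK_SECONDS = 24 * 3600  # "administrators in the last 24 hours"
BACKUP_RETENTION_SECONDS = 48 * 3600  # backup snapshots kept 48h after destroy


@dataclass
class DestroyRequest:
    instance: str
    requested_by: str
    requested_at: int
    required_approvers: frozenset
    approvals: set = field(default_factory=set)
    cancelled: bool = False


def recent_admins(admin_log, now):
    """admin_log: assumed list of (user, granted_at, revoked_at_or_None).
    Every user who held admin rights at any point in the lookback window is
    required, so an attacker removing other admins just before the request
    does not shrink the approval set."""
    cutoff = now - ADMIN_LOOKBACK_SECONDS
    return frozenset(u for (u, granted, revoked) in admin_log
                     if granted <= now and (revoked is None or revoked >= cutoff))


def request_destroy(instance, requested_by, admin_log, now):
    approvers = recent_admins(admin_log, now)
    if requested_by not in approvers:
        raise PermissionError("requester is not an administrator")
    return DestroyRequest(instance, requested_by, now, approvers)


def approve(req, user):
    if user not in req.required_approvers:
        raise PermissionError(f"{user} is not a required approver")
    req.approvals.add(user)


def cancel(req):
    # Anyone may cancel during the grace period; cancellation is sticky.
    req.cancelled = True


def may_execute(req, now):
    """Destroy only if not cancelled, all approvers signed off, grace elapsed."""
    return (not req.cancelled
            and req.approvals == set(req.required_approvers)
            and now >= req.requested_at + GRACE_SECONDS)


def execute(req, now):
    """Return the manifest of what is deleted and what is retained."""
    if not may_execute(req, now):
        raise RuntimeError("destroy request is not executable")
    return {"deleted": ["database", "repositories", "file storage", "backups"],
            "retained": {"backup_snapshots_until": now + BACKUP_RETENTION_SECONDS,
                         "reserved_name": req.instance}}
```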

Event Timeline

epriestley raised the priority of this task from to Needs Triage.
epriestley updated the task description.
epriestley added a project: Phacility.
epriestley moved this task to Backlog on the Phacility board.
epriestley updated the task description.
epriestley added a subscriber: epriestley.

I admire your concern with malicious deletion.

Along with human review, I can suggest one more thing that our high-paying customers receive: a phone call.

This may not be as involved. For example, you can have an SMS sent to the customer's known phone with a warning and a request for confirmation with a code. For more important customers, where it's rather unlikely that they really want to delete, a phone call.

I'd also advise extending the deletion cancellation wait. 24h may start on Friday evening and end on Saturday, when nobody would look. We actually use a 14-day period during which the service is put on hold (not working + warning for all users that it's pending delete). After all that we delete and retain backups for another 14 days, so we never get told that something is "gone too fast".

Could always force 2-factor auth, possibly.

What does amazon do to protect against instances being maliciously removed?

epriestley claimed this task.

bin/host destroy exists now and no one has specifically asked for this, so I think it's OK to leave it as an "email us" option until the workload justifies making it explicit.